Bitwarden keeps user data secure with 256-bit AES encryption — the same encryption used by banks and governments around the world — so you can feel secure storing your information on Bitwarden’s cloud servers. However, if you’re worried about your data being compromised in the cloud, Bitwarden also offers the option for local data storage. The recommended approach for exposing Bitwarden outside of your local network is by using a reverse proxy. In this tutorial, I will be using Nginx Proxy Manager which will be hosted on the same Raspberry Pi. If you’d like to use Nginx Proxy Manager, you can learn how to set it up here.
Password managers are very useful utilities that store (and generate) unique and lengthy passwords. Many utilities exist to store passwords locally (pass, EncryptionWizard, etc), but I need my passwords synced across several devices. Dozens of password managers exist that perform multi-device sync. But, many services require storing passwords on their servers. Some allow storing encrypted stores on your cloud (Dropbox, OneDrive, etc). However, I want my password stores to exist 100% under my local control. ARM development boards, like the Beagle Bone Black Wireless, provide a nice low-cost, low-power platform to run a password manager store. Additionally, the device can be easily powered down to take the password store offline. A Raspberry Pi should also work, but I was lacking one on hand.
Bitwarden is the only open source password manager I've discovered that allows self-hosting the server and also provides open source iOS, Android, Linux, OS X, and Windows clients. Unfortunately, the official Bitwarden server does not support ARM because of a mssql
dependency. Joshua Stein wrote a nice Ruby server supporting the Bitwarden API that can be self-hosted on ARM devices. (Servers written in golang and Rust also exist.)
Running rubywarden on the Beagle Bone Black Wireless only allows syncing passwords between devices when they are on the same network as the BBBW. Trading the 'inconvenience' of local-only sync for 100% control of my password store is well worth it, in my opinion.
Note: 8bit Solutions LLC has graciously open sourced Bitwarden. Show your support for open source companies by purchasing a premium membership even if you self-host. High quality software does not write itself.
Initial Setup
- Install dependencies
# apt-get install bundler libsqlite3-dev
# gem install bundler
- To slightly improve security, a utility account named
rubywarden
will be used to run the server.
# adduser --disabled-password --disabled-login rubywarden
Clone the
rubywarden
repository into/opt
$ cd /opt
# git clone https://github.com/jcs/rubywarden
# chown -R rubywarden /opt/rubywarden Guitar rig 5 mac os catalina.
# sudo su rubywarden
Create the necessary directory structure for
rubywarden
$ cd rubywarden
$ mkdir -p db/production
Install the necessary ruby dependencies
$ bundle install
Before the first run, the
rubywarden
database must be initialized$ env RACK_ENV=production bundle exec rake db:migrate
rubywarden
does not allow new user sign-up unless the environmental variableALLOW_SIGNUPS
is true. To launch the server and allow sign-ups run the following command. Subsequent launches do not require the environmental variable.$ env RACK_ENV=production ALLOW_SIGNUPS=1 bundle exec rackup -p 4567 config.ru
Bitwarden provides a variety of client installs. Choose the appropriate one and click the gear icon on the splash screen to add the self-hosted server.
- Create an account and start managing passwords! Note: If testing with the iOS client, please read the dedicated iOS section below.
systemd
It's really useful to have rubywarden
run when the BeagleBone is powered up. Writing a systemd unit file to provide startup functionality is fairly straightforward.
Create /etc/systemd/system/rubywarden.service
and add the following:
Enable and start the service. Use journalctl -u rubywarden
to debug any issues.
Compatility with iOS app
The Bitwarden AppImage seems to function just fine without rubywarden
using HTTPS. By default, it is only using HTTP. However, the iOS client requires HTTPS.
In order to support HTTPS, the Apache webserver (already running on the BBBW) will be configured to serve HTTPS and function as a proxy to the rubywarden
server. Since rubywarden
is not internet accessible, Let's Encrypt certificates don't make sense; instead a self-signed certificate will be used for HTTPS. In order for the self-signed certificate to be usable on iOS, a Certificate Authority certificate will need created and installed on the iOS device.
Note: Apple changed trusted certificate requirements in iOS 13 requiring an extendedKeyUsage
flag to be set in the certificate.
Create the CA certificate
$ openssl genrsa -out rubywardenCA.key 2048
$ openssl req -x509 -sha256 -new -key rubywardenCA.key -out rubywardenCA.crt -subj /CN='rubywarden CA'
Send the
rubywardenCA.crt
certificate to the iOS device via e-mail and follow the prompts to install. After installation, use the Settings app to navigate toGeneral->About->Certificate Trust Settings
and togglerubywarden CA
on. This means that iOS will treat any certificate signed by the CA as a valid HTTPS connection.Generate a certificate for Apache to use
$ openssl genrsa -out rubywarden.key 2048
$ openssl req -new -out rubywarden.req -key rubywarden.key -subj /CN=beaglebone.local
$ openssl x509 -req -sha256 -in rubywarden.req -out rubywarden.crt -CAkey myCA.key -CA myCA.cer -days 365 -CAcreateserial -CAserial serial -extfile <(printf 'extendedKeyUsage = serverAuthnsubjectAltName=DNS:beaglebone.local')
The keys created above can be used to perform mitm attacks if they are compromised. To improve security (slightly, the SD card can just be removed from the BBBW) move them to
/root/certs/beaglebone.local/
and make the keys read-only.# mkdir -p /root/certs/beaglebone.local/
# mv rubywarden.* /root/certs/beaglebone.local
# chmod 400 /root/certs/beaglebone.local/*.key
Finally, set up Apache to serve as an HTTPS proxy. Append the following VirtualHost entry to
/etc/apache2/sites-enabled/000-default.conf
Relaunch Apache with# systemctl restart apache2.service
after making the edits.
Did your security posture improve because of this post? Consider saying thanks by using my Amazon Affilliate URL and help to keep this site ad & analytics free.
Bitwarden Local Only Internet
This page outlines my personal set up with Bitwarden secrets for Home Assistant.
Bitwarden installation
You can easily install Bitwarden RS for Home Assistant from the Add-on Store. Bitwarden is a community maintained add-on available from the Home Assistant Community Add-ons repository.
Home Assistant organization
We need to do some basic management with Bitwarden to set it up for usage with Home Assistant. This is all done through the Bitwarden web interface.
Creating your personal user
After installing and starting the Bitwarden RS add-on, I recommend that you create your personal user. With this user you can use Bitwarden in general from any device.
Creating a Home Assistant user
We are also going to create a Home Assistant user. This user is only needed by Home Assistant. Since we have a local Bitwarden installation I recommend setting the user id / e-mail address to: homeassistant@localhost.lan
indicating this is a local user only.
You can use the Bitwarden password generator to generate a secure password for this user.
Disable new registrations
When you have Bitwarden exposed to the internet (ie. through a reverse proxy like Traefik) I recommend disabling new user registration after you have created all of your users. This will keep unwelcome guests out of our local install.
You can do this by browsing to the Bitwarden RS suffixed by the /admin/
path. So for instance: 'http://192.168.0.10:7878/admin/'. To access the admin panel you will need your personal access token which can be found in the add-on log.
If the admin token isn't visible (anymore) in the Bitwarden RS log you can also retrieve it through Docker and SSH with the following command:
This will print your admin token.
Note
Autodesk fusion 360 free download for mac. This is an optional step.
Creating a Home Assistant organization entity
Finally we are going to create a Home Assistant organization in which we can easily manage our Home Assistant secrets.
Stamp. First we are going to go to Settings ➡ Organizations and click New Organization. We set the Organization Name to Home Assistant and you can set anything in Billing email.
After creating, we go to this newly created organization and click the Manage tab.
We are going to invite our earlier created Home Assistant user by clicking the ➕ Invite User tab.
Note
We want this user to have access to all items!
Finally we are going to confirm this user to have access to our Home Assistant organization. The user should automatically already have accepted the invite.
Now we are done with setting up the correct environment for Home Assistant to retrieve our secrets.
Adding secrets
Adding secrets for use in Home Assistant is fairly trivial. You can add items through the web interface or through any of Bitwarden's apps. The only thing you should take care of is adding the item to the correct organization.
Installing Bitwarden secrets for Home Assistant
Follow these steps to get the add-on installed on your system:
Bitwarden Local Only Restaurants
- Navigate in your Home Assistant frontend to Supervisor -> Add-on Store
- Add this new repository by URL (
https://github.com/alex3305/home-assistant-addons
) - Find the 'Bitwarden secrets for Home Assistant' add-on and click it.
- Click on the 'INSTALL' button
Configuration
Bitwarden Local Only Connection
Just fill in your Home Assistant Bitwarden user, password and organization name into the add-on and you are good to go.
Bitwarden Local Only Access
You can also enable repeat mode, which will retrieve your secrets at every interval automatically without the need to restart the add-on.
Comments are closed.